
Page 1: Virtual Organization Membership Service eXtension (VOX)

Ian Fisk, on behalf of the VOX Project, Fermilab

Page 2: Authors and contributors

09/29/2004 CHEP 2004

Richard Baker (BNL)

Lothar Bauderick (Fermilab)

Eileen Berman (Fermilab)

Gabriele Carcassi (BNL)

Ian Fisk (Fermilab)

Robert Gardner (University of Chicago)

Gregory Graham (Fermilab)

Leigh Grundhoefer (University of Indiana)

Anne Heavey (Fermilab)

Joe Kaiser (Fermilab)

Tanya Levshina (Fermilab)

Ruth Pordes (Fermilab)

Vijay Sekhri (Fermilab)

Dane Skow (Fermilab)

John Weigand (Fermilab)

Yujun Wu (Fermilab)

Page 3: Presentation overview

• Introduction
• Stakeholders and collaborators
• VO Management Infrastructure at Fermilab
• VO Membership Registration Service
• Identifying the workflow
• VO Concepts
• VO Roles
• VOMRS Architecture
• WEBUI Screenshots
• What’s next?
• Summary

Page 4: Introduction

US CMS, SDSS, and iVDGL have sponsored an effort at Fermilab, the VOX Project (VO Management Service eXtension), to investigate and implement the requirements, both policy-related and technical, for admitting collaborators into a VO, and facilitating and monitoring their authorization to access the available grid resources.

This effort has resulted in a study and understanding of the necessary workflow, and the creation of a prototype VO Membership Registration Service (VOMRS), which is a principal component of the VOX project.

Page 5: Stakeholders and Collaborators

• Stakeholders:
– US CMS
– Fermilab Computing Facility
– iVDGL
– SDSS

• Collaborators:
– BNL: VOMRS architecture, registration process, common interfaces
– EGEE (EDG)/DataTag: VOMS core and admin software
– VDT (U of Wisconsin), Virginia Tech: ongoing communication and agreements with Globus on gatekeeper and authorization callouts

Page 6: VO Management Infrastructure at Fermilab (I)

[Diagram. Boxes: VOX Project (VOMRS, SAZ); VOMS Project (VOMS Admin and Core Services); Privilege Project (GUMS, Gatekeeper & PRIMA module on the Fermilab Grid Cluster); Local Center Registration Service. Arrow labels: register, voms-proxy-init, synchronize, proxy certificate, authorize, authorize, authenticate.]

Page 7: VO Management Infrastructure at Fermilab (II)

VOX Project:

• VOMRS (VO Membership Registration Service) provides a registration service that
– allows a single point of registration with a VO
– facilitates, negotiates and monitors the process of a member’s authorization to grid resources
– provides centralized storage of membership information and a means to query said information

• SAZ (Site Authorization Service) allows security authorities of the local site to control access to the site’s resources

VOMS Project:

• EGEE (EDG) VOMS Admin service provides centralized storage of member DN, CA, groups and roles, and the means to handle this data.
• DataTag VOMS Core service gives out an extended proxy upon a member’s request.

Privilege Project automates and facilitates the process of managing fine-grained access to a local grid element:

• PRIMA authorization module at the gatekeeper
– elicits information from provided VOMS attributes and other sources
– queries a site-centralized grid user management server

• GUMS (grid user management) server provides
– site-consistent user and group assignment
– interfaces and extensions to the data storage systems
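The chain described on slides 6 and 7 (a VOMS-extended proxy presented at the gatekeeper, a site authorization check, then a site-wide mapping of the presented group/role attributes to a local account) can be modelled compactly. The Python below is an added example written for this page, not code from the VOX, Privilege or VOMS projects: the DNs, FQAN strings, site policy and mapping table are constructed, and `saz_authorize`, `gums_map` and `gatekeeper_decide` are illustrative names rather than the real SAZ, GUMS or PRIMA interfaces.

```python
"""Model of the site-side authorization chain on slides 6 and 7.

Added example, not VOX/Privilege Project code. All DNs, FQANs, policy
entries and account names are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ProxyCredential:
    """What the gatekeeper learns from a VOMS-extended proxy certificate."""
    dn: str            # subject DN of the end-entity certificate
    ca: str            # DN of the issuing certificate authority
    fqans: tuple = ()  # VOMS attributes, primary first, e.g. "/uscms/production/Role=prod"


@dataclass
class SitePolicy:
    """SAZ-style site policy: which CAs and VOs the site accepts, which DNs it bans."""
    trusted_cas: set = field(default_factory=set)
    admitted_vos: set = field(default_factory=set)
    banned_dns: set = field(default_factory=set)


def parse_fqan(fqan):
    """Split '/vo/group/sub/Role=x[/Capability=y]' into (vo, group path, role or None)."""
    group, _, rest = fqan.partition("/Role=")
    parts = [p for p in group.split("/") if p]
    if not parts:
        raise ValueError(f"malformed FQAN: {fqan!r}")
    role = rest.split("/")[0] if rest else None
    return parts[0], "/" + "/".join(parts), role


def saz_authorize(cred, policy):
    """Site authorization: return the reasons to refuse; an empty list means accepted."""
    reasons = []
    if cred.ca not in policy.trusted_cas:
        reasons.append("untrusted CA")
    if cred.dn in policy.banned_dns:
        reasons.append("DN banned at site")
    if not {parse_fqan(f)[0] for f in cred.fqans} & policy.admitted_vos:
        reasons.append("no admitted VO in proxy")
    return reasons


# GUMS-style mapping table (constructed): (vo, group, role) -> local account.
# A None role matches any role; parent groups are consulted for sub-groups.
MAPPINGS = {
    ("uscms", "/uscms/production", "prod"): "cmsprod",
    ("uscms", "/uscms", None): "cmsuser",
}


def gums_map(fqans, mappings=MAPPINGS):
    """Return the local account for the most specific matching attribute, or None."""
    for fqan in fqans:                       # primary FQAN first
        vo, path, role = parse_fqan(fqan)
        while path:
            for key in ((vo, path, role), (vo, path, None)):
                if key in mappings:
                    return mappings[key]
            path = path.rsplit("/", 1)[0]    # walk up to the parent group
    return None


def gatekeeper_decide(cred, policy, mappings=MAPPINGS):
    """PRIMA-style decision at the gatekeeper: ('allow', account) or ('deny', reason)."""
    reasons = saz_authorize(cred, policy)
    if reasons:
        return ("deny", "; ".join(reasons))
    account = gums_map(cred.fqans, mappings)
    if account is None:
        return ("deny", "no mapping for presented VOMS attributes")
    return ("allow", account)


CA = "/DC=org/DC=example/OU=Certificate Authorities/CN=Example CA"  # constructed
SITE = SitePolicy(
    trusted_cas={CA},
    admitted_vos={"uscms"},
    banned_dns={"/DC=org/DC=example/OU=People/CN=Banned Person 000009"},
)


def demo():
    """Run constructed credentials through the chain; returns case name -> decision."""
    people = "/DC=org/DC=example/OU=People/CN="
    cases = {
        "production": ProxyCredential(people + "Prod Person 000001", CA,
                                      ("/uscms/production/Role=prod", "/uscms")),
        "subgroup": ProxyCredential(people + "Analyst 000002", CA, ("/uscms/analysis/higgs",)),
        "other_vo": ProxyCredential(people + "Visitor 000003", CA, ("/sdss",)),
        "banned": ProxyCredential(people + "Banned Person 000009", CA, ("/uscms",)),
        "no_voms": ProxyCredential(people + "Plain Proxy 000004", CA, ()),
    }
    return {name: gatekeeper_decide(cred, SITE) for name, cred in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:11s} -> {decision}")
```

The ordering is the point: the site-level refusal (SAZ) is evaluated before any mapping is attempted, and the mapping walks from the most specific group/role up to the parent group, so a member of a sub-group without its own entry still lands on the experiment-wide account, which is the "site-consistent user and group assignment" the slide attributes to GUMS.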

Page 8: VOMRS: Identifying the workflow

• Understand that VO registration is a multi-level process (institution, grid site, country, VO).
• Identify necessary elements of the registration procedure and develop a model workflow.
• Identify administrative roles and responsibilities.
• Identify various implications of our model on sites and site policies.
• Realize that the implementing technology must be flexible to accommodate the different levels of policies and requirements and to anticipate ongoing changes.

Page 9: VO Concepts

• Grid, VO, Certificate (DN, CA, …), Grid resource, Grid job …
• Experiment: represents research activities that are specific to a particular VO.
• Group and group roles: an experiment contains groups. A group may have sub-groups. Group and group roles are included as attributes in a proxy certificate.
• Institution: an organization whose members participate in experiments within a particular VO.
• Grid site: an institution that provides grid resources. Each site has policies that require specific personal information.
• Personal information: private and public data about an individual that is collected by the VO.
• Notification Event: an action taken by the registration software that notifies interested members of a change within the VO and describes any required responses.
• Role: defines the actions that a VO member can perform within the VO and the information that a VO member can access. A VO member can have one or more roles. A VO member’s event notifications depend on the member’s role.

Page 10: Roles (I)

• Applicant:
– An experimenter who belongs to one of the VO institutions and possesses a certificate from one of the VO-approved Certificate Authorities. An applicant has submitted a VO registration form but has not yet been approved.
• Member:
– An applicant who has been approved. A member can submit jobs to the Grid. By default a member is assigned to an experiment-wide group.
• VO administrator:
– A designated VO member who is in charge of registration and has access to all information collected by the VO. He is responsible for assigning administrative roles.

Page 11: Roles (II)

• Institutional VO representative:
– Vouches for the identity of an applicant.
– Upon registration a member can select a representative from the list of known representatives. The selected representative does not necessarily belong to the member’s institution.
• Grid site administrator:
– Assigns/revokes the role of System Administrator or Local Resource Provider to/from the VO members affiliated with the site.
– Administers authorization of VO members to the site. The details are site-specific and depend on the regulations and policies of each particular site.
• Local resource provider:
– Administers authorization of a member to use the grid resource (this could include addition of this member to the gridmapfile, mapping the member to a local account, etc.).

Page 12: Registration Flow

[Diagram. Actors: Applicant / Member; Institution Representative; Grid Sites (each with a Site Admin and LRPS); VO Central Node running VOMRS and the EDG VOMS Proxy Server (synchronize). Arrow labels: register, notify, approve, query.]
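The registration flow of slides 8 through 12 (a single registration with the VO, the chosen representative vouches, the VO administrator approves, then per-site admission by the site administrator and a grid-map entry by a local resource provider, each step raising a notification event addressed by role) as an added Python state model. This is not VOMRS code: the VO name, institutions, site, principal ids, DNs and CA name are constructed for the example, and the method names are illustrative.

```python
"""State model of the VOMRS registration flow on slides 8-12.

Added example, not VOMRS code. VO name, institutions, sites, principal ids,
DNs and CA names are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class VO:
    name: str
    approved_cas: set
    institutions: set
    representatives: dict                            # rep id -> institution
    vo_admins: set
    site_admins: dict = field(default_factory=dict)  # site -> {admin ids}
    lrps: dict = field(default_factory=dict)         # site -> {LRP ids}
    members: dict = field(default_factory=dict)      # dn -> registration record
    events: list = field(default_factory=list)       # notification log
    gridmap: dict = field(default_factory=dict)      # site -> {dn: local account}

    def notify(self, kind, recipients, dn):
        """Notification event: recipients are chosen by role, not by a fixed list."""
        self.events.append({"event": kind, "to": sorted(recipients), "dn": dn})

    def register(self, dn, ca, institution, representative):
        """Single point of registration; the applicant picks a representative."""
        if ca not in self.approved_cas:
            raise PermissionError("certificate not issued by a VO-approved CA")
        if institution not in self.institutions:
            raise PermissionError("institution does not participate in this VO")
        if representative not in self.representatives:
            raise PermissionError("unknown institutional representative")
        if dn in self.members:
            raise ValueError("DN already registered")
        self.members[dn] = {"state": "applicant", "ca": ca, "institution": institution,
                            "representative": representative, "vouched": False,
                            "groups": set(), "sites": {}}
        self.notify("registration_request", {representative} | self.vo_admins, dn)

    def vouch(self, dn, representative):
        """Only the representative the applicant selected may vouch for them."""
        rec = self._require(dn, "applicant")
        if representative != rec["representative"]:
            raise PermissionError("only the selected representative may vouch")
        rec["vouched"] = True
        self.notify("identity_vouched", self.vo_admins, dn)

    def approve(self, dn, admin):
        """VO administrator turns a vouched applicant into a member of the default group."""
        rec = self._require(dn, "applicant")
        if admin not in self.vo_admins:
            raise PermissionError("only a VO administrator may approve")
        if not rec["vouched"]:
            raise PermissionError("representative has not vouched for the applicant")
        rec["state"] = "member"
        rec["groups"].add("/" + self.name)           # experiment-wide group
        self.notify("member_approved", {dn, rec["representative"]} | self.vo_admins, dn)

    def site_authorize(self, dn, site, site_admin):
        """Grid site administrator admits the member to the site; the site's LRPs are told."""
        rec = self._require(dn, "member")
        if site_admin not in self.site_admins.get(site, set()):
            raise PermissionError("not a site administrator of this site")
        rec["sites"][site] = "site-approved"
        self.notify("site_authorized", self.lrps.get(site, set()), dn)

    def map_resource(self, dn, site, lrp, account):
        """Local resource provider adds the admitted member to the site's grid map."""
        rec = self._require(dn, "member")
        if lrp not in self.lrps.get(site, set()):
            raise PermissionError("not a local resource provider at this site")
        if rec["sites"].get(site) != "site-approved":
            raise PermissionError("site administrator has not authorized this member")
        self.gridmap.setdefault(site, {})[dn] = account
        rec["sites"][site] = "mapped"
        self.notify("resource_mapped", {dn}, dn)

    def _require(self, dn, state):
        rec = self.members.get(dn)
        if rec is None or rec["state"] != state:
            raise LookupError(f"{dn} is not in state {state!r}")
        return rec


CA = "/DC=org/DC=example/OU=Certificate Authorities/CN=Example CA"  # constructed
DN = "/DC=org/DC=example/OU=People/CN=Example Applicant 000001"     # constructed


def make_vo():
    return VO(name="uscms", approved_cas={CA}, institutions={"Fermilab", "BNL"},
              representatives={"rep-fnal": "Fermilab"}, vo_admins={"vo-admin"},
              site_admins={"fnal-cluster": {"site-admin"}}, lrps={"fnal-cluster": {"lrp-1"}})


def demo():
    """Walk one applicant through the whole flow; returns the VO with its event log."""
    vo = make_vo()
    vo.register(DN, CA, "Fermilab", "rep-fnal")
    vo.vouch(DN, "rep-fnal")
    vo.approve(DN, "vo-admin")
    vo.site_authorize(DN, "fnal-cluster", "site-admin")
    vo.map_resource(DN, "fnal-cluster", "lrp-1", "cmsuser")
    return vo


if __name__ == "__main__":
    for e in demo().events:
        print(e["event"], "->", e["to"])
```

The checks encode the role separation of slides 10 and 11: only the selected representative can vouch, only a VO administrator can approve, and a local resource provider cannot write a grid-map entry until the site administrator has admitted the member. The event log doubles as the audit trail a VO administrator would query when reviewing a registration.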

Page 13: VOMRS Architecture

[Diagram. Client IF: Member using CLI or WEBCLIENT; Web Services/Servlets over HTTPS/SSL with GSI and the EDG Trust Manager. Server: Registrar (Workflow Manager), Event Manager, Synchronizer, VOMRS DB. EDG VOMS ADMIN API and EDG VOMS DB as the synchronization counterpart.]

Page 14: VOMRS WEBUI (Home page, Group page…)

[Screenshots]

Page 15: VOMRS WEBUI (registration)

[Screenshot: USCMS VO Registration]

Page 16: VOMRS WEBUI (member search)

[Screenshot]

Page 17: VOMRS WEBUI (subscribe to event)

Notification Event Example:

Date: Tue, 21 Sep 2004 13:43:20 -0600
From: [email protected]
Subject: AUTOMATIC NOTIFICATION FROM VOMRS USCMS
To: undisclosed-recipients: ;

Dear Administrator,

We have received a request from a person with Distinguished Name
/DC=org/DC=doegrids/OU=People/CN=Anne Heavey 995073
issued by Certificate Authority
/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
to join VO USCMS. You can check member's personal information. You can approve or deny member's request.

VO Administrator

Page 18: What’s Next?

• Continue collaboration with BNL, SDSS, iVDGL, the LCG User Registration Task Force, etc.
• Implement multiple new features requested by collaborators:
– VO membership expiration and renewal processes
– Email verification
– Interface to organizational human resource database (LCG requirement)
• Continue support for VOMRS instances installed at Fermilab and BNL
• Deploy test installation of VOMRS at CERN

Page 19: Summary

The VO Membership Registration Service, which allows a grid user to become a member of a Virtual Organization, has been developed. It provides a flexible mechanism to collect a member’s personal data as well as to manage the registration workflow. Several instances of VOMRS have been deployed at Fermilab and BNL. We greatly appreciate the discussions, support and software contributions provided by our collaborators. There are still a lot of features that need to be implemented.

• More info: http://www.uscms.org/s&c/VO
• E-mail: [email protected]